Abstract —We study oblivious transfer (OT) between Alice and 
Bob in the presence of an eavesdropper Eve over a degraded 
wiretapped binary erasure channel from Alice to Bob and Eve. 
In addition to the privacy goals of oblivious transfer between 
Alice and Bob, we require privacy of Alice and Bob’s private data 
from Eve. In previous work we derived the OT capacity (in the 
honest-but-curious model) of the wiretapped binary independent 
erasure channel where the erasure processes of Bob and Eve are 
independent. Here we derive a lower bound on the OT capacity 
in the same secrecy model when the wiretapped binary erasure 
channel is degraded in favour of Bob. 

I. Introduction 

In secure multiparty computation, mutually distrusting users 
want to collaborate in computing functions of their data. They 
want to do this in such a way that no user derives additional 
information about other users’ data than the function they 
compute. This has applications in several areas including data-mining,
voting, auctions etc. 0. In general, secure computation
is not possible between users who only have access to
private/common randomness and noiseless communication 0.
For two-user secure computation, a noisy channel between
the users (in addition to a noise-free public channel) provides
a stochastic resource on which secure computation can be
based 0. Oblivious transfer (OT), which is a specific two-user
secure computation, has been proposed as a primitive on
which all secure computation can be based 0 , 0 , and OT
itself can be obtained from noisy channels. 

In 1-of-2 string OT, one of the users, say, Alice, has two bit-strings
of equal length. The other user, say, Bob, wants to learn
exactly one of the two strings. Bob does not want Alice to find
out which of the two strings he wants, while Alice wants to
ensure that Bob does not learn anything more than one of the
strings. The OT capacity of a discrete memoryless channel is
the largest rate of the string-length per channel use that can be
achieved. We assume that the users are honest-but-curious, that
is, they follow the protocol agreed upon but they may try to
gain illegitimate information about the other user’s private data
from everything they have learned at the end of the protocol.
For such users, Nascimento and Winter 03 obtained a lower
bound on the OT capacity of noisy channels and distributed
sources. Ahlswede and Csiszar 0 obtained lower bounds on
the honest-but-curious OT capacity for generalized erasure
channels. These lower bounds are tight when the erasure
probability is at least $\frac{1}{2}$. Pinto et al. ca showed that, for
erasure probability at least $\frac{1}{2}$, the OT capacity of generalized
erasure channels remains the same even when the users are
malicious, that is, even if a dishonest user arbitrarily deviates
from the protocol.

Presence of third parties is a natural concern when using 
noisy channels. Motivated by this, OT over wiretapped binary 
erasure channel was studied in HU. Building on the ideas
from 0, Da, the OT capacity of this channel was characterized
there for the honest-but-curious model. Both 2-privacy,
where the eavesdropper may collude with either Alice or Bob, 
and 1-privacy, where there are no collusions, were considered. 
In ina, the problem of performing independent OTs between 
Alice and each of the other parties over a binary erasure 
broadcast channel was considered. Inner and outer bounds on 
the OT capacity region were presented which meet except in 
one regime of parameter ranges. 

Here we study the OT capacity of the degraded wiretapped 
binary erasure channel. The problem presents some interesting 
new features. Oblivious transfer relies on the noise in the 
legitimate channel (Alice-to-Bob channel) to hide information 
of Alice and Bob from each other. In a degraded erasure 
channel, the wiretapper obtains more information about the 
noise process on the legitimate channel (compared to an independent
erasure channel where it receives no information on
this noise process from the channel). Our achievable scheme 
is in fact more involved compared to the one in CD, d 
precisely because of this fact. This is in contrast with secret 
key agreement using broadcast channels with public discussion 
where optimal schemes are simpler for the degraded channel in 
the sense that no public discussion is needed to achieve secret 
key capacity when the channel is degraded 0, Col- While 
we do not prove the optimality of our scheme, we believe that 
the additional complexity is unavoidable. 

In Section II we present the formal problem definition.
The main result is presented in Section III and the proof is
presented in Section IV.

II. Problem Statement 

In the setup of Fig. 1, Alice is connected to Bob and an
eavesdropper Eve over a broadcast channel $p_{YZ|X}$. Additionally,
there is a public channel of unlimited capacity, over which
Alice and Bob can take turns to send messages. Each message
sent over this public channel is received by all users. Alice’s
private data is a pair of strings $K_0, K_1$ which are $m$-bit each,
while Bob’s private data is a choice bit $U$. $K_0, K_1, U$ are
independent and uniform over their respective alphabets. The
goal is for Alice and Bob to do an OT using $(K_0, K_1, U)$,
without Eve learning anything about $(K_0, K_1, U)$.

Fig. 1: Setup for oblivious capacity over a broadcast channel

We consider the degraded broadcast channel setup shown in
Fig. 2. This is a special case of Fig. 1. Here the broadcast channel
$p_{YZ|X}$ is made up of a cascade of two independent binary
erasure channels (BECs), BEC($\epsilon_1$) with erasure probability $\epsilon_1$
followed by a BEC($\epsilon_2$). That is, $X \in \{0,1\}$, $Y, Z \in \{0,1,e\}$,
and $p_{YZ|X} = p_{Y|X}\, p_{Z|Y}$ with $p_{Y|X}(e|1) = p_{Y|X}(e|0) = \epsilon_1$,
$p_{Y|X}(1|1) = p_{Y|X}(0|0) = 1 - \epsilon_1$, and $p_{Z|Y}(e|e) = 1$,
$p_{Z|Y}(e|1) = p_{Z|Y}(e|0) = \epsilon_2$, $p_{Z|Y}(1|1) = p_{Z|Y}(0|0) = 1 - \epsilon_2$.

Definition 1. Let $n, m$ be positive integers. An $(n,m)$-protocol
is an exchange of messages over the setup of Figure 1. Alice
transmits a bit over the broadcast channel $p_{YZ|X}$ at each time
instant $t = 1,2,\ldots,n$. Alice’s private strings are $m$-bits each.
Before each channel use by Alice and also after Alice’s last 
channel use, Alice and Bob can take turns to send an arbitrary 
but finite number of messages over the public channel. 

We denote by F the transcript of the public channel at the 
end of the protocol. 

Definition 2. The final view of a user is the set of random 
variables it generates and receives over the execution of 
the protocol. The final views of Alice, Bob and Eve are, 
respectively, 

$$V_A := (K_0, K_1, X^n, F),$$

$$V_B := (U, Y^n, F),$$

$$V_E := (Z^n, F).$$

At the end of the protocol, Bob generates an estimate $\hat{K}_U$
of $K_U$, as a function of its final view $V_B$.

Definition 3. The rate $r_n$ of an $(n,m)$-protocol is

$$r_n := \frac{m}{n} \tag{1}$$

Definition 4. A rate $R$ is achievable in the setup of Figure 1
if there exists a sequence of $(n,m)$-protocols such that, as
$n \to \infty$, $r_n \to R$ and

$$P[\hat{K}_U \neq K_U] \to 0, \tag{2}$$

$$I(K_{\bar{U}}; V_B) \to 0, \tag{3}$$

$$I(U; V_A) \to 0, \tag{4}$$

$$I(K_0, K_1, U; V_E) \to 0. \tag{5}$$


Definition 5. The capacity C in the setup of Figure Q] is 

$$C := \sup\{R : R \text{ is achievable}\} \tag{6}$$

Fig. 2: Setup for oblivious transfer over a degraded binary
erasure broadcast channel

III. Summary of Results 

Our main result is a lower bound on $C$, for the setup of
Figure 2.

Theorem 1.

$$\min\left\{\tfrac{1}{3}\epsilon_2(1-\epsilon_1),\ \epsilon_1\right\} \le C \le \min\{\epsilon_2(1-\epsilon_1),\ \epsilon_1\}.$$

Hence, when $\epsilon_1 < \frac{1}{3}\epsilon_2(1-\epsilon_1)$, we have $C = \epsilon_1$. Note
that the upper bound of $\epsilon_2(1-\epsilon_1)$ in Theorem 1 follows from
the fact that OT capacity is upper bounded by the secret key
capacity of the wiretapped channel. This is because if Bob runs
the protocol with the choice bit set deterministically to, say,
0, then $K_0$ is a secret key between Alice and Bob. The upper
bound follows from the fact that $\epsilon_2(1-\epsilon_1)$ is the secret key
capacity of this wiretapped channel with public discussion ifll .
lITOl . The upper bound of $\epsilon_1$ follows from the fact that this is an
upper bound for two-party OT capacity of the binary erasure
channel with erasure probability $\epsilon_1$ d.

Section IV gives a protocol that is used to prove the lower
bound part of Theorem 1.

IV. Achievability of Theorem 1

In this section, we will describe a protocol which will
be used to show that the lower bound in Theorem 1 is an
achievable rate. We begin by presenting the main ideas used
in this protocol, before presenting a formal description for it.

Let $r$ be any rate smaller than $\min\{\frac{1}{3}\epsilon_2(1-\epsilon_1), \epsilon_1\}$. In
the protocol, Alice begins by transmitting a sequence $X^n$
of independent bits, each equally likely to be 0 or 1. Bob
receives the corresponding erased version $Y^n$, while Eve gets
$Z^n$ which is an erased version of $Y^n$ (see Figure 2). Let $E$
denote the set of indices at which $Y^n$ has erasures, and let $\bar{E}$
be its complement. Out of the set $\bar{E}$, Bob picks a good set $G$ of
size $|G| = nr$ uniformly at random. Similarly, Bob also picks
a bad set $B$ of size $|B| = nr$ uniformly at random out of set
$E$. Let $\tilde{G} := \bar{E} \setminus G$ denote the unerased indices which are not
in $G$. Note that $|\tilde{G}|$ is approximately $n(1-\epsilon_1-r)$. Similarly,
$\tilde{B} := E \setminus B$ is the set of erased indices which are not in $B$,
and $|\tilde{B}|$ is approximately $n(\epsilon_1 - r)$. If $U = 0$, Bob assigns sets
$(L_0, L_1) = (G, B)$, otherwise Bob sets $(L_0, L_1) = (B, G)$.

Bob first declares the sets $\tilde{G}, \tilde{B}$ over the public channel.
Thereafter, Bob forms sequential, disjoint subsets $(G_L, G_S)$ of
the set $\tilde{G}$, where $|G_L|$ is about and $|G_S|$ is about
Both $G_L$ and $G_S$ will be used to generate secret keys known
to both Alice and Bob, but hidden from Eve. Note that for
$r < \min\{\frac{1}{3}\epsilon_2(1-\epsilon_1), \epsilon_1\}$, all these sets of the required sizes
can be formed.

Alice and Bob use the set of transmissions $X^n|_{G_L}$ to agree
on a secret key $S_L$, secret from Eve. The size of $S_L$ is $2nr$
bits. Similarly, Alice and Bob use $X^n|_{L_0 \cup G_S}$ to form a secret
key $S_0$ and $X^n|_{L_1 \cup G_S}$ to form a secret key $S_1$. Here, $|S_0| =
|S_1| = nr$.

Bob now needs to reveal $(L_0, L_1)$ to Alice, while hiding
both these sets from Eve, so as not to reveal $U$ to Eve. Towards
this goal, Bob forms a set $L$ which is an ordered version of
the set $L_0 \cup L_1$. Then, Bob forms a binary vector $Q$ of length
$2nr$ as follows. For all $i = 0, 1, \ldots, 2nr - 1$, the $i$th element
of $Q$, denoted by $Q_i$, will indicate whether the $i$th element of
$L$, denoted by $L_i$, belongs to $L_0$ or $L_1$. That is, $Q_i = 0$ when
$L_i \in L_0$, otherwise $Q_i = 1$. Bob now sends $S_L \oplus Q$ to Alice,
which is sufficient for Alice to recover $(L_0, L_1)$.

Alice finally sends the encrypted strings $K_0 \oplus S_0$ and
$K_1 \oplus S_1$ to Bob over the public channel. Since Bob knows
$S_U$ completely (since he knows $X^n|_{L_U \cup G_S}$), he can recover
$K_U$.

Before presenting the protocol more formally, we point
out a comparison with the independent erasure case of im.
In the independent erasure channel, since Eve has no side
information about the erasure pattern of Bob, there is no
need for Bob to encrypt $(L_0, L_1)$ before sending it over the
public channel. The additional burden of encrypting $L_0, L_1$
here requires Alice and Bob to generate a secret key $S_L$ which
is twice as long as each string $K$. Along with $S_U$, effectively,
Alice and Bob agree on secret keys which are together thrice
as long as each string $K$. This explains the $\frac{1}{3}$ factor in the rate
achieved.

Protocol 1. Let 5 € (0,1). Let I 2 = £ 2(1 — <^)- Let r = 
min{-le 2 (l — ei) — 05 ,ei — <5} be the rate to be achieved, 
where 6s = (5(1 + j^). 

Alice: Transmits a sequence $X^n$ of independent bits,
equally likely to be 0 or 1, over the broadcast channel
in Figure 2.

Bob: Receives the sequence $Y^n$ from the output of
BEC($\epsilon_1$) and forms the erased and unerased sets of
indices of $Y^n$ as, respectively,

$$E := \{i \in \{1,2,\ldots,n\} : Y_i = e\}$$

$$\bar{E} := \{i \in \{1,2,\ldots,n\} : Y_i \neq e\}$$

If $|\bar{E}| < n(1 - \epsilon_1 - \delta)$ or $|E| < n(\epsilon_1 - \delta)$, Bob
declares an error and quits. Otherwise, Bob proceeds
and forms the following sets out of $E$ and $\bar{E}$:

$$G := \mathrm{Unif}\{A \subset \bar{E} : |A| = n(r + \delta)\}$$

$$B := \mathrm{Unif}\{A \subset E : |A| = n(r + \delta)\}$$

$$\tilde{G} := \bar{E} \setminus G$$

$$\tilde{B} := E \setminus B$$

where Unif{.} denotes a random, uniformly distributed,
choice over the collection of sets. Note that
$|\tilde{G}| > n(1 - \epsilon_1 - r - \delta)$ and $|\tilde{B}| > n(\epsilon_1 - r - \delta)$.
Bob reveals the sets $\tilde{G}, \tilde{B}$ over the public channel.
Bob now forms the sets $L_0, L_1$ as follows:

$U = 0$: $L_0 = G$, $L_1 = B$

$U = 1$: $L_0 = B$, $L_1 = G$

Let $L$ be an ordered version of the set $L_0 \cup L_1$. Bob
forms a binary vector $Q$ of $2nr$ bits, with elements
labelled $Q_i$, $i = 0,1,\ldots,2nr - 1$ defined as:

$$Q_i = \begin{cases} 0, & L_i \in L_0 \\ 1, & L_i \in L_1 \end{cases}$$

Bob takes the first indices in G and calls it 

set Gl- Bob also takes the next ifnUf-gg iyi 

_ _ <^2 _ 

$\tilde{G}$ and calls it set $G_S$. One can verify that $|G_L| +
|G_S| < |\tilde{G}|$. Bob then forms a secret key $S_L$ using
$X^n|_{G_L}$, where $S_L$ is known to Alice but hidden from
Eve. Here, $S_L$ is $2n(r + \delta)$ bits long. Finally, Bob
sends the following quantity to Alice over the public
channel:

$$S_L \oplus Q$$

Alice: Uses $X^n|_{L_0 \cup G_S}$ to form a secret key $S_0$ and uses
$X^n|_{L_1 \cup G_S}$ to form a secret key $S_1$. Both $S_0, S_1$ are
$nr$-bit each. Alice finally sends the following two
encrypted strings to Bob over the public channel:

$$K_0 \oplus S_0$$

$$K_1 \oplus S_1$$

Bob: Knows $X^n|_{L_U \cup G_S}$, hence knows $S_U$, thereby
recovering $K_U$ from Alice’s public message.
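
The message flow of Protocol 1 on a simulated degraded erasure channel, as an added example that is not code from the paper; it uses the set sizes of the informal description ($|G| = |B| = m$ with $m = nr$, no $\delta$ slack). The key extractor (a public random binary matrix standing in for the random maps), the sizes of $G_L$ and $G_S$, and every function and variable name are assumptions made for this sketch, since the extracted text does not preserve those details.

```python
import math
import random

ERASED = None  # erasure symbol e

def bec(seq, p, rng):
    """BEC(p): erase each symbol with probability p; erasures stay erased."""
    return [ERASED if s is ERASED or rng.random() < p else s for s in seq]

def random_map(n_in, n_out, rng):
    """Public random binary matrix used as a linear hash (assumed key extractor)."""
    rows = [[rng.randrange(2) for _ in range(n_in)] for _ in range(n_out)]
    return lambda bits: [sum(a & b for a, b in zip(row, bits)) & 1 for row in rows]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def run_ot(n, eps1, eps2, m, U, K0, K1, seed=0):
    rng = random.Random(seed)
    X = [rng.randrange(2) for _ in range(n)]   # Alice's channel input X^n
    Y = bec(X, eps1, rng)                      # Bob's output Y^n
    Z = bec(Y, eps2, rng)                      # Eve's degraded output Z^n
    E = [i for i in range(n) if Y[i] is ERASED]
    E_bar = [i for i in range(n) if Y[i] is not ERASED]
    # Assumed sizes: Eve should miss about as many bits as each key is long.
    n_L, n_S = math.ceil(2 * m / eps2), math.ceil(m * (1 / eps2 - 1))
    if len(E) < m or len(E_bar) < m + n_L + n_S:
        raise RuntimeError("Bob declares an error and quits")
    G, B = set(rng.sample(E_bar, m)), set(rng.sample(E, m))   # good / bad sets
    G_t = [i for i in E_bar if i not in G]     # G-tilde, revealed publicly
    B_t = [i for i in E if i not in B]         # B-tilde, revealed publicly
    G_L, G_S = G_t[:n_L], G_t[n_L:n_L + n_S]   # derivable from public G-tilde
    L0, L1 = (G, B) if U == 0 else (B, G)
    L = sorted(L0 | L1)
    Q = [0 if i in L0 else 1 for i in L]
    h_L, h_K = random_map(n_L, 2 * m, rng), random_map(m + n_S, m, rng)

    # Bob -> Alice: Q masked with S_L, computed from Y^n restricted to G_L.
    masked_Q = xor(h_L([Y[i] for i in G_L]), Q)

    # Alice: L is the complement of the public sets; unmask Q to split it.
    public = set(G_t) | set(B_t)
    L_a = [i for i in range(n) if i not in public]
    Q_a = xor(h_L([X[i] for i in G_L]), masked_Q)
    A0 = [i for i, q in zip(L_a, Q_a) if q == 0]
    A1 = [i for i, q in zip(L_a, Q_a) if q == 1]
    C0 = xor(K0, h_K([X[i] for i in A0 + G_S]))   # K_0 xor S_0
    C1 = xor(K1, h_K([X[i] for i in A1 + G_S]))   # K_1 xor S_1

    # Bob: L_U = G is fully unerased, so he can rebuild S_U only.
    S_U = h_K([Y[i] for i in sorted(G) + G_S])
    return {
        "K_hat": xor(C1 if U else C0, S_U),
        "alice_sets_ok": (set(A0), set(A1)) == (L0, L1),
        "bob_sees_in_bad_set": sum(Y[i] is not ERASED for i in B),
        "eve_unerased_in_L": {i for i in L if Z[i] is not ERASED},
        "G": G,
    }
```

Every index in `eve_unerased_in_L` lies in `G`, so an unmasked $Q$ would let Eve tell which of $L_0, L_1$ is the good set and hence learn $U$; this is why the degraded channel needs the extra key $S_L$.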

Lemma 1. A rate of $\min\{\frac{1}{3}\epsilon_2(1-\epsilon_1), \epsilon_1\}$ is achievable in
the setup of Figure 2.

A proof of this lemma is deferred to the Appendix. Below, 
we give a sketch of this proof. 

• (2) is satisfied for the following reason. Since Bob knows
both and Bob knows Hence,
Bob knows the secret key $S_U$ and so, Bob can recover
$K_U$ correctly from $K_U \oplus S_U$ that Alice sends on the
public channel.

• (3) is satisfied because Bob knows nothing about
Since $S_{\bar{U}}$ is a secret key generated from $\cup G_S$
has the same number of bits as Bob will learn
practically no information about $S_{\bar{U}}$ and, hence, about
$K_{\bar{U}}$.

• Alice can learn about $U$ only from Bob’s public messages.
In the scheme, Alice learns $L_0, L_1$ from Bob’s
public messages. Since $L_0, L_1$ are of the same size and
since the channel acts independently on each input bit,
Alice learns no information about $U$. Hence, (4).

• Finally, Eve cannot learn $U$ since the identity of $L_0, L_1$
remains hidden from her by the secret key $S_L$. Eve only
learns $L_0 \cup L_1$ and nothing more. Conditioned on knowing
$U$, Eve still does not learn $(K_0, K_1)$ since these are
encrypted using secret keys $S_0, S_1$ which are secret from
Eve. Hence, (5) is satisfied.

Appendix A
Proof of Lemma 1

In order to prove Lemma 1 we will use a sequence
$\{P_n\}_{n \in \mathbb{N}}$ of Protocol 1 and show that for $r <
\min\{\frac{1}{3}\epsilon_2(1-\epsilon_1), \epsilon_1\}$, (2) - (5) hold for $\{P_n\}_{n \in \mathbb{N}}$.

We note that for $P_n$ the transcript of the public channel is

$$F = (\tilde{G}, \tilde{B}, S_L \oplus Q, K_0 \oplus S_0, K_1 \oplus S_1). \tag{7}$$

Let $J$ be the indicator random variable for the event that
Bob declares an error and quits. Using Chernoff bound, we
see that $P[J = 1] \to 0$ as $n \to \infty$.

1) In order to show (2) holds, given that $P[J = 1] \to 0$, it
suffices to show that $P[\hat{K}_U \neq K_U | J = 0] \to 0$.

When $J = 0$, Bob knows and Bob also knows

Hence, Bob knows As a result, Bob

knows the secret key $S_U$ derived out of
Hence, Bob can get $K_U$ using $K_U \oplus S_U$ sent by Alice.
Thus, $P[\hat{K}_U \neq K_U | J = 0] = 0$.

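2) In order to show (3) holds, it will suffice to show that
$I(K_{\bar{U}}; V_B | J = 0) \to 0$. All terms and assertions below
are conditioned on the event $J = 0$, but this is being
suppressed for ease of writing.

$I(K_{\bar{U}}; V_B)$

$= I(K_{\bar{U}}; U, Y^n, F)$

$= I(K_{\bar{U}}; U, Y^n, \tilde{G}, \tilde{B}, S_L \oplus Q, K_0 \oplus S_0, K_1 \oplus S_1)$

$= I(K_{\bar{U}}; U, Y^n, \tilde{G}, \tilde{B}, S_L \oplus Q, K_U \oplus S_U, K_{\bar{U}} \oplus S_{\bar{U}})$

$= I(K_{\bar{U}}; U, Y^n, \tilde{G}, \tilde{B}, Q, K_U \oplus S_U, K_{\bar{U}} \oplus S_{\bar{U}})$

[since $S_L$ is a function of $(Y^n, \tilde{G})$]

$= I(K_{\bar{U}}; U, Y^n, \tilde{G}, \tilde{B}, G, B, K_U \oplus S_U, K_{\bar{U}} \oplus S_{\bar{U}})$

[since $(G, B)$ is a function of $(U, Q, \tilde{G}, \tilde{B})$ and $Q$ is
a function of $(U, G, B)$]

$= I(K_{\bar{U}}; U, Y^n, \tilde{G}, \tilde{B}, G, B, K_U, K_{\bar{U}} \oplus S_{\bar{U}})$

[since $S_U$ is a function of $(Y^n, G, \tilde{G})$]

$= I(K_{\bar{U}}; U, Y^n, \tilde{G}, \tilde{B}, G, B, K_{\bar{U}} \oplus S_{\bar{U}})$

[since $K_U$ is independent of all other variables above]

$= I(K_{\bar{U}}; K_{\bar{U}} \oplus S_{\bar{U}} | U, Y^n, \tilde{G}, \tilde{B}, G, B)$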

= I {Kjj; Kjj® Sjj \ [/, F”, F'* | < 5 ^ G, B, G, B) 

= I{Kjj;Kjj®Sjj I F"|^J 
[since -C/,F”,G,B,G,B is a 

Markov chain] 

= I{Kjj;Kjj®Sjj I F"|^J 


— H{Kjj(BSjj I H{Sjj I 

= HiK^(BSjj I X"|Gj-i?(% I X"|<5j 
<|%|-il(% I 

As a consequence of Lemma 2 of Appendix B, the above
quantity is small.

3) In order to show (4) holds, it suffices to show that
$I(U; V_A | J = 0) \to 0$. All terms and assertions below
are conditioned on the event $J = 0$, but this is being
suppressed for ease of writing.

$I(U; V_A)$

$= I(U; K_0, K_1, X^n, F)$

$= I(U; K_0, K_1, X^n, \tilde{G}, \tilde{B}, S_L \oplus Q, K_0 \oplus S_0, K_1 \oplus S_1)$

$= I(U; K_0, K_1, X^n, \tilde{G}, \tilde{B}, S_L \oplus Q, S_0, S_1)$

$= I(U; K_0, K_1, X^n, \tilde{G}, \tilde{B}, Q, S_0, S_1)$

[since $S_L$ is a function of $(X^n, \tilde{G})$]

$= I(U; K_0, K_1, X^n, \tilde{G}, \tilde{B}, L_0, L_1, S_0, S_1)$

[since $(L_0, L_1)$ is a function of $(\tilde{G}, \tilde{B}, Q)$]

$= I(U; K_0, K_1, X^n, \tilde{G}, \tilde{B}, L_0, L_1)$

[since $(S_0, S_1)$ is a function of $(X^n, L_0, L_1, \tilde{G})$]

$= I(U; L_0, L_1)$

[since $U - L_0, L_1 - K_0, K_1, X^n, \tilde{G}, \tilde{B}$ is a Markov chain]

$= 0$

[since the channel acts independently on each input bit
and since $|L_0| = |L_1|$]

4) In order to show (5) holds, it will suffice to show that
$I(K_0, K_1, U; V_E | J = 0) \to 0$ as $n \to \infty$. All terms
and assertions below are conditioned on the event $J = 0$,
but this is being suppressed for ease of writing.

$I(K_0, K_1, U; V_E)$

$= I(K_U, K_{\bar{U}}, U; V_E)$

$= I(U; V_E) + I(K_{\bar{U}}; V_E | U) + I(K_U; V_E | U, K_{\bar{U}})$

$= I(U; V_E) + I(K_{\bar{U}}; U, V_E) + I(K_U; U, K_{\bar{U}}, V_E)$

We will look at each of the above three terms separately.

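$I(U; V_E)$

$= I(U; Z^n, F)$

$= I(U; Z^n, \tilde{G}, \tilde{B}, S_L \oplus Q, K_0 \oplus S_0, K_1 \oplus S_1)$

$\le I(U; Z^n, \tilde{G}, \tilde{B}, S_L \oplus Q, K_0, S_0, K_1, S_1)$

$= I(U; Z^n, \tilde{G}, \tilde{B}, S_L \oplus Q, S_0, S_1)$

[since $K_0, K_1$ are independent of all the variables above]

$= I(U; S_L \oplus Q, S_0, S_1 | Z^n, \tilde{G}, \tilde{B})$

$= H(S_L \oplus Q, S_0, S_1 | Z^n, \tilde{G}, \tilde{B}) - H(S_L \oplus Q, S_0, S_1 | U, Z^n, \tilde{G}, \tilde{B})$

$\le |S_L| + |S_0| + |S_1| - H(S_L, S_0, S_1 | U, Q, Z^n, \tilde{G}, \tilde{B})$

$= |S_L| + |S_U| + |S_{\bar{U}}| - H(S_L, S_U, S_{\bar{U}} | U, G, B, Z^n, \tilde{G}, \tilde{B})$

[since $(G, B)$ is a function of $(U, Q, \tilde{G}, \tilde{B})$ and $Q$ is
a function of $(U, G, B)$]

$= |S_L| + |S_U| + |S_{\bar{U}}| - H(S_L, S_U, S_{\bar{U}} | Z^n|_G, Z^n|_{G_S}, Z^n|_{G_L})$

[since $S_L, S_U, S_{\bar{U}} - Z^n|_G, Z^n|_{G_S}, Z^n|_{G_L} - U, G, B, Z^n, \tilde{G}, \tilde{B}$ is a Markov chain]

$= |S_L| + |S_U| + |S_{\bar{U}}| - H(S_L | Z^n|_G, Z^n|_{G_S}, Z^n|_{G_L}) - H(S_U, S_{\bar{U}} | S_L, Z^n|_G, Z^n|_{G_S}, Z^n|_{G_L})$

$= (|S_L| - H(S_L | Z^n|_{G_L})) + (|S_U| + |S_{\bar{U}}| - H(S_U, S_{\bar{U}} | Z^n|_G, Z^n|_{G_S}))$

[since $S_L - Z^n|_{G_L} - Z^n|_G, Z^n|_{G_S}$ and
$S_U, S_{\bar{U}} - Z^n|_G, Z^n|_{G_S} - S_L, Z^n|_{G_L}$ are Markov chains]

The first term above is small since $S_L$ is a secret key
against Eve. Lemma 3 of Appendix B implies that the
second term is also small.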

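$I(K_{\bar{U}}; U, V_E)$

$= I(K_{\bar{U}}; U, Z^n, F)$

$= I(K_{\bar{U}}; U, Z^n, \tilde{G}, \tilde{B}, S_L \oplus Q, K_0 \oplus S_0, K_1 \oplus S_1)$

$= I(K_{\bar{U}}; U, Z^n, \tilde{G}, \tilde{B}, S_L \oplus Q, K_U \oplus S_U, K_{\bar{U}} \oplus S_{\bar{U}})$

$\le I(K_{\bar{U}}; U, Z^n, \tilde{G}, \tilde{B}, S_L \oplus Q, K_U, S_U, K_{\bar{U}} \oplus S_{\bar{U}})$

$= I(K_{\bar{U}}; U, Z^n, \tilde{G}, \tilde{B}, S_L \oplus Q, S_U, K_{\bar{U}} \oplus S_{\bar{U}})$

[since $K_U$ is independent of all other variables above]

$\le I(K_{\bar{U}}; U, Z^n, \tilde{G}, \tilde{B}, S_L, Q, S_U, K_{\bar{U}} \oplus S_{\bar{U}})$

$= I(K_{\bar{U}}; U, Z^n, \tilde{G}, \tilde{B}, S_L, G, B, S_U, K_{\bar{U}} \oplus S_{\bar{U}})$

[since $(G, B)$ is a function of $(U, Q, \tilde{G}, \tilde{B})$ and $Q$ is
a function of $(U, G, B)$]

$= I(K_{\bar{U}}; S_U, S_L, Z^n|_G, Z^n|_{\tilde{G}}, K_{\bar{U}} \oplus S_{\bar{U}})$

[since $K_{\bar{U}} - S_U, S_L, Z^n|_G, Z^n|_{\tilde{G}}, K_{\bar{U}} \oplus S_{\bar{U}} - U, Z^n, \tilde{G}, \tilde{B}, G, B$ is a Markov chain]

$= I(K_{\bar{U}}; S_U, S_L, Z^n|_G, Z^n|_{G_S}, Z^n|_{G_L}, K_{\bar{U}} \oplus S_{\bar{U}})$

$= I(K_{\bar{U}}; S_U, Z^n|_G, Z^n|_{G_S}, K_{\bar{U}} \oplus S_{\bar{U}})$

[since $K_{\bar{U}} - K_{\bar{U}} \oplus S_{\bar{U}}, S_U, Z^n|_G, Z^n|_{G_S} - S_L, Z^n|_{G_L}$
is a Markov chain]

$= I(K_{\bar{U}}; S_U, K_{\bar{U}} \oplus S_{\bar{U}} | Z^n|_G, Z^n|_{G_S})$

$= H(S_U, K_{\bar{U}} \oplus S_{\bar{U}} | Z^n|_G, Z^n|_{G_S}) - H(S_U, S_{\bar{U}} | K_{\bar{U}}, Z^n|_G, Z^n|_{G_S})$

$= H(S_U, K_{\bar{U}} \oplus S_{\bar{U}} | Z^n|_G, Z^n|_{G_S}) - H(S_U, S_{\bar{U}} | Z^n|_G, Z^n|_{G_S})$

$\le |S_U| + |S_{\bar{U}}| - H(S_U, S_{\bar{U}} | Z^n|_G, Z^n|_{G_S})$

The above term is small as a consequence of Lemma 2
in Appendix B.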

$I(K_U; U, K_{\bar{U}}, V_E)$

$= I(K_U; U, K_{\bar{U}}, Z^n, \tilde{G}, \tilde{B}, S_L \oplus Q, K_0 \oplus S_0, K_1 \oplus S_1)$

$= I(K_U; U, K_{\bar{U}}, Z^n, \tilde{G}, \tilde{B}, S_L \oplus Q, K_U \oplus S_U, K_{\bar{U}} \oplus S_{\bar{U}})$

$= I(K_U; U, K_{\bar{U}}, S_{\bar{U}}, Z^n, \tilde{G}, \tilde{B}, S_L \oplus Q, K_U \oplus S_U)$

$= I(K_U; U, S_{\bar{U}}, Z^n, \tilde{G}, \tilde{B}, S_L \oplus Q, K_U \oplus S_U)$

[since $K_{\bar{U}}$ is independent of all other variables above]

$\le I(K_U; U, S_{\bar{U}}, Z^n, \tilde{G}, \tilde{B}, S_L, Q, K_U \oplus S_U)$

$= I(K_U; U, S_{\bar{U}}, S_L, Z^n, \tilde{G}, \tilde{B}, G, B, K_U \oplus S_U)$

[since $(G, B)$ is a function of $(U, Q, \tilde{G}, \tilde{B})$ and $Q$ is
a function of $(U, G, B)$]

$= I(K_U; S_{\bar{U}}, S_L, Z^n|_G, Z^n|_{\tilde{G}}, K_U \oplus S_U)$

[since $K_U - S_{\bar{U}}, S_L, Z^n|_G, Z^n|_{\tilde{G}}, K_U \oplus S_U - U, Z^n, \tilde{G}, \tilde{B}, G, B$ is a Markov chain]

$= I(K_U; S_{\bar{U}}, S_L, Z^n|_G, Z^n|_{G_S}, Z^n|_{G_L}, K_U \oplus S_U)$

$= I(K_U; S_{\bar{U}}, Z^n|_G, Z^n|_{G_S}, K_U \oplus S_U)$

[since $K_U - K_U \oplus S_U, S_{\bar{U}}, Z^n|_G, Z^n|_{G_S} - S_L, Z^n|_{G_L}$
is a Markov chain]

$= I(K_U; S_{\bar{U}}, K_U \oplus S_U | Z^n|_G, Z^n|_{G_S})$

$= H(S_{\bar{U}}, K_U \oplus S_U | Z^n|_G, Z^n|_{G_S}) - H(S_{\bar{U}}, S_U | K_U, Z^n|_G, Z^n|_{G_S})$

$= H(S_{\bar{U}}, K_U \oplus S_U | Z^n|_G, Z^n|_{G_S}) - H(S_{\bar{U}}, S_U | Z^n|_G, Z^n|_{G_S})$

$\le |S_{\bar{U}}| + |S_U| - H(S_{\bar{U}}, S_U | Z^n|_G, Z^n|_{G_S})$

The above term is small, again as a consequence of
Lemma 2.

Appendix B
A Useful Lemma

Lemma 2. Let Alice transmit a sequence $X^n$ of i.i.d. Ber($\frac{1}{2}$)
bits and let Bob define the sets $G, B, G_S$ as in Protocol 1.
There exists a sequence of codes where

: $(X^n|_{G_S}, X^n|_G) \to S_U$ and $\to$
$S_{\bar{U}}$ such that $|S_U| = |S_{\bar{U}}| = nr$ and, for $n \to \infty$,

1) $H(S_U, S_{\bar{U}} | Z^n|_G, Z^n|_{G_S}) - 2nr \to 0$,

2) $H(S_{\bar{U}} | X^n|_{G_S}) - nr \to 0$.

Proof: We prove this lemma using a random coding
argument. The codes (maps) and A4^ are chosen independently
and uniformly at random from among all possible
maps. We treat the entropies $H(S_U, S_{\bar{U}} | Z^n|_G, Z^n|_{G_S})$ and
$H(S_{\bar{U}} | X^n|_{G_S})$ as random variables (which depend on
the random code). It then suffices to show that with high
probability they approach $2nr$ and $nr$, respectively.

We will make use of Lemma 3 which is stated after this
proof. Consider,

$H(S_U, S_{\bar{U}} | Z^n|_G, Z^n|_{G_S})$

$= H(S_U | Z^n|_G, Z^n|_{G_S}) + H(S_{\bar{U}} | S_U, Z^n|_G, Z^n|_{G_S})$

For the second term, we may directly invoke Lemma 3 using
the fact that $|B| > |S_{\bar{U}}| = nr$ to conclude that with high
probability the second term approaches $nr$. For the first term,
let $T$ be the typical event that the fraction of erasures in
$(Z^n|_G, Z^n|_{G_S})$ is at least a £ 2(1 - |)-

$H(S_U | Z^n|_G, Z^n|_{G_S}) \ge H(S_U | Z^n|_G, Z^n|_{G_S}, T) P(T)$.

Using the fact that $P(T) \to 1$ and invoking Lemma 3 we
may conclude that the first term also approaches $nr$ with high
probability.

We may directly invoke Lemma 3 as we did above for
the second term to conclude that $H(S_{\bar{U}} | X^n|_{G_S}) \to nr$ with
high probability. Hence, by union bound we can conclude
that with high probability $H(S_U, S_{\bar{U}} | Z^n|_G, Z^n|_{G_S})$ and
$H(S_{\bar{U}} | X^n|_{G_S})$ approach $2nr$ and $nr$, respectively. ■

Lemma 3. Let $\alpha, \beta, \delta > 0$ be such that $\alpha + \beta + \delta < 1$. Let
$X$ be a vector chosen uniformly at random from $\{0,1\}^n$. Let
$f : \{0,1\}^n \to \{0,1\}^{n\alpha}$ be a map chosen uniformly at random
from all possible maps. Then with high probability over the
choice of $f$, the map satisfies the property that for every $I \subset
\{1,2,\ldots,n\}$ with $|I| \le n\beta$, and for every $y \in \{0,1\}^{|I|}$,
$H(f(X) | X|_I = y) \ge n\alpha - 2^{-n\delta}$.

Proof: Let us first fix a particular subset $I$ and a realization
$X|_I = y$. Without loss of generality, we assume
$|I| = n\beta$. Let us denote $J := I^c$ for simplicity. Now,
$f : X|_J \to \{0,1\}^{n\alpha}$ is only a function of the components of $X$
in $J$. Let $Y_1, Y_2, \ldots, Y_N$ denote the images $f(X|_J, X|_I = y)$
of all $X|_J \in \{0,1\}^{|J|}$, where $N = 2^{|J|} = 2^{n(1-\beta)}$. Clearly
these are independent and uniformly distributed over the
$2^{n\alpha}$ binary strings in $\{0,1\}^{n\alpha}$. The empirical distribution of
Yi', i = 1,2, ••• ,iV is denoted as pj. Rest of the proof is 
exactly the same as that of uni Lemma 10]. We repeat it here 
for completeness. 

By Sanov’s theorem, 

Pr [H{pj) <na- 2“"'^] < (A^ + 

where $u$ denotes the uniform distribution over $\{0,1\}^{n\alpha}$, and

$$p^* = \arg\min_{p : H(p) < n\alpha - 2^{-n\delta}} D(p\|u).$$

Clearly,

$$D(p^*\|u) = n\alpha - H(p^*) > 2^{-n\delta}.$$


So 

Pr [H{pj) <na- 2“"^] < (21-^1 + 

^ 2 "( 1 “/ 5 + 1 /")- 2 "“ . 2 - 2 ’*'^’-“'^'■ 2 “"'' 
^ 2-2"“(2"(i-'5-“-'’>-n(l-/3-ri/n))^ 


Since /3 + a + (5 < 1, by union bound, we have 


Pr 


H{pj) < na — 2 for some I and some y € {0, 


< 2 " 


This goes to zero doubly exponentially fast as n ^ 00 . ■ 




